2ea94241af
Removes all 13 Helm-generated secrets from rendered output and instead generates them at deploy time via an init Job. The Job creates secrets with random credentials only if they don't already exist, ensuring idempotent deploys. Runs as ArgoCD PreSync hook so secrets are ready before oCIS pods start. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
137 lines
4.1 KiB
YAML
137 lines
4.1 KiB
YAML
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
annotations:
|
|
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
|
labels:
|
|
app.kubernetes.io/instance: ocis
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/name: ocis
|
|
app.kubernetes.io/version: 7.1.4
|
|
helm.sh/chart: ocis-0.7.0
|
|
name: settings
|
|
namespace: ocis
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: settings
|
|
strategy:
|
|
rollingUpdate:
|
|
maxSurge: 25%
|
|
maxUnavailable: 25%
|
|
type: RollingUpdate
|
|
template:
|
|
metadata:
|
|
annotations:
|
|
checksum/config: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
|
|
labels:
|
|
app: settings
|
|
app.kubernetes.io/instance: ocis
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/name: ocis
|
|
app.kubernetes.io/version: 7.1.4
|
|
helm.sh/chart: ocis-0.7.0
|
|
spec:
|
|
containers:
|
|
- args:
|
|
- settings
|
|
- server
|
|
command:
|
|
- ocis
|
|
env:
|
|
- name: MICRO_REGISTRY
|
|
value: nats-js-kv
|
|
- name: MICRO_REGISTRY_ADDRESS
|
|
value: nats:9233
|
|
- name: OCIS_CORS_ALLOW_ORIGINS
|
|
value: https://drive.tr1ceracop.de
|
|
- name: OCIS_CACHE_STORE
|
|
value: nats-js-kv
|
|
- name: OCIS_CACHE_STORE_NODES
|
|
value: nats:9233
|
|
- name: OCIS_CACHE_DISABLE_PERSISTENCE
|
|
value: "true"
|
|
- name: OCIS_DEFAULT_LANGUAGE
|
|
value: en
|
|
- name: SETTINGS_LOG_COLOR
|
|
value: "false"
|
|
- name: SETTINGS_LOG_LEVEL
|
|
value: info
|
|
- name: SETTINGS_LOG_PRETTY
|
|
value: "false"
|
|
- name: SETTINGS_TRACING_ENABLED
|
|
value: "false"
|
|
- name: SETTINGS_TRACING_TYPE
|
|
value: jaeger
|
|
- name: SETTINGS_TRACING_ENDPOINT
|
|
value: null
|
|
- name: SETTINGS_TRACING_COLLECTOR
|
|
value: null
|
|
- name: SETTINGS_DEBUG_PPROF
|
|
value: "false"
|
|
- name: SETTINGS_HTTP_ADDR
|
|
value: 0.0.0.0:9190
|
|
- name: SETTINGS_GRPC_ADDR
|
|
value: 0.0.0.0:9191
|
|
- name: SETTINGS_DEBUG_ADDR
|
|
value: 0.0.0.0:9194
|
|
- name: SETTINGS_ADMIN_USER_ID
|
|
valueFrom:
|
|
secretKeyRef:
|
|
key: user-id
|
|
name: ocis-admin-user
|
|
- name: SETTINGS_JWT_SECRET
|
|
valueFrom:
|
|
secretKeyRef:
|
|
key: jwt-secret
|
|
name: ocis-jwt-secret
|
|
- name: SETTINGS_SERVICE_ACCOUNT_IDS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: service-account-id
|
|
name: auth-service
|
|
- name: OCIS_SYSTEM_USER_API_KEY
|
|
valueFrom:
|
|
secretKeyRef:
|
|
key: api-key
|
|
name: ocis-storage-system
|
|
- name: OCIS_SYSTEM_USER_ID
|
|
valueFrom:
|
|
secretKeyRef:
|
|
key: user-id
|
|
name: ocis-storage-system
|
|
image: owncloud/ocis:7.1.4
|
|
imagePullPolicy: IfNotPresent
|
|
livenessProbe:
|
|
failureThreshold: 3
|
|
httpGet:
|
|
path: /healthz
|
|
port: metrics-debug
|
|
initialDelaySeconds: 60
|
|
periodSeconds: 20
|
|
timeoutSeconds: 10
|
|
name: settings
|
|
ports:
|
|
- containerPort: 9190
|
|
name: http
|
|
- containerPort: 9191
|
|
name: grpc
|
|
- containerPort: 9194
|
|
name: metrics-debug
|
|
resources:
|
|
requests:
|
|
cpu: 10m
|
|
memory: 64Mi
|
|
securityContext:
|
|
readOnlyRootFilesystem: true
|
|
runAsGroup: 1000
|
|
runAsNonRoot: true
|
|
runAsUser: 1000
|
|
volumeMounts: null
|
|
nodeSelector: {}
|
|
securityContext:
|
|
fsGroup: 1000
|
|
fsGroupChangePolicy: OnRootMismatch
|
|
volumes: null
|